
AWS RDS SSL Cert with postgres adapter

sxl101 11 months ago

Is it possible to pass an SSL certificate to the postgres adapter? I'm trying to connect to RDS over SSL as described here:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html

I've tried passing it in the connection string with ?sslmode=require&sslrootcert=path/to/cert.pem - this works locally and is also accessible during the nextjs build, but production api routes cannot access the cert:



    ENOENT: no such file or directory, open 'path/to/cert.pem'
I've had a look at the adapter but can't see where I could pass the cert as base64 directly to the adapter as you can with drizzle, something like this:


    db: postgresAdapter({
      pool: {
        connectionString: process.env.POSTGRES_URI || '',
        ssl: {
          ca: sslCertAsBase64,
        },
      },
    }),



Is this possible?



On -beta.3

  • notchr 11 months ago
    @925158527847268424

    You solved this?



    Did the base64 path work?

  • sxl101 11 months ago

    No, but I haven't been playing with it since this morning.



    I'm about to start tinkering again so I'll let you know how it goes

  • notchr 11 months ago

    Sounds good!

  • sxl101 11 months ago

    Some progress - the ssl pool options weren't working because the URI contained "sslmode=require".

    If the connection string contains any ssl settings (including sslcert, sslkey, sslrootcert, or sslmode), it overwrites the ssl object.




        import fs from 'fs'

        // Read the CA bundle from disk
        const sslCert = fs.readFileSync('path/to/bundle.pem').toString()
        ...
        db: postgresAdapter({
          pool: {
            connectionString: process.env.POSTGRES_URI || '',
            ssl: {
              rejectUnauthorized: false,
              ca: sslCert,
            },
          },
        }),

    The cert is now passed correctly via the ssl object and works in local development.


    The api routes still can't see the certificate bundle, but that first step I think makes the problem easier to solve.



    Ok so I encoded the bundle as base64, whacked it into env variables and converted that to a utf-8 buffer.



        const base64Cert = process.env.SSL_CERT_BASE64
        const decodedCert = Buffer.from(base64Cert || '', 'base64').toString('utf-8')



    works perfectly.



    I didn't love the solution at first - I would rather have a hot swappable .pem that gets bundled into the config, but that's probably not possible with serverless... BUT, with vercel's shared Environment Variables, I can enter this once and replicate it across multiple projects using RDS, which is nice. Also allows for easy update!
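
Added example (not part of the thread and not Payload's own code): the approach sxl101 arrived at, written as a helper that decodes the base64 bundle, removes the ssl* URI parameters that the thread found overwrite the `ssl` object, and keeps `rejectUnauthorized: true` so the server certificate is checked against the bundle. `buildPoolOptions`, `SSL_URI_PARAMS` and the sample URI are hypothetical; `POSTGRES_URI` and `SSL_CERT_BASE64` are the names used above.

```javascript
// Added example, not Payload's code. POSTGRES_URI and SSL_CERT_BASE64 are the
// env names used in the thread; buildPoolOptions is a hypothetical helper.
const SSL_URI_PARAMS = ['sslmode', 'sslcert', 'sslkey', 'sslrootcert']

function buildPoolOptions(uri, base64Cert) {
  if (!base64Cert) throw new Error('SSL_CERT_BASE64 is empty')
  const ca = Buffer.from(base64Cert, 'base64').toString('utf-8')

  // Fail at startup on an empty or truncated bundle instead of at first query.
  const begins = (ca.match(/-----BEGIN CERTIFICATE-----/g) || []).length
  const ends = (ca.match(/-----END CERTIFICATE-----/g) || []).length
  if (begins === 0 || begins !== ends) {
    throw new Error('SSL_CERT_BASE64 does not decode to a PEM certificate bundle')
  }

  // Per the thread, any ssl* parameter in the URI overwrites the ssl object,
  // so remove them and report which ones were dropped.
  const url = new URL(uri)
  const stripped = SSL_URI_PARAMS.filter((p) => url.searchParams.has(p))
  stripped.forEach((p) => url.searchParams.delete(p))

  return {
    stripped,
    certificates: begins,
    pool: {
      connectionString: url.toString(),
      // Verify the server chain against the bundle; with
      // rejectUnauthorized: false the `ca` value is not enforced.
      ssl: { ca, rejectUnauthorized: true },
    },
  }
}

// Constructed sample input: placeholder PEM framing, not a real certificate.
const samplePem =
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
const sampleB64 = Buffer.from(samplePem, 'utf-8').toString('base64')
const sample = buildPoolOptions(
  'postgres://app:secret@db.example.internal:5432/cms?sslmode=require&application_name=cms',
  sampleB64,
)
console.log(sample.stripped, sample.pool.connectionString)
```

In the adapter config this would be used as `pool: buildPoolOptions(process.env.POSTGRES_URI || '', process.env.SSL_CERT_BASE64).pool`.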
